diff -up openssh-8.6p1/configure.ac.pkcs11-uri openssh-8.6p1/configure.ac

--- openssh-8.6p1/configure.ac.pkcs11-uri	2021-05-06 11:35:55.101653187 +0200

+++ openssh-8.6p1/configure.ac	2021-05-06 11:35:55.111653265 +0200

@@ -1974,12 +1974,14 @@ AC_LINK_IFELSE(

 	[AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])

 ])

+SCARD_MSG="yes"

 disable_pkcs11=

 AC_ARG_ENABLE([pkcs11],

 	[  --disable-pkcs11        disable PKCS#11 support code [no]],

 	[

 		if test "x$enableval" = "xno" ; then

 			disable_pkcs11=1

+			SCARD_MSG="no"

 		fi

 	]

 )

@@ -2008,6 +2010,40 @@ AC_SEARCH_LIBS([dlopen], [dl])

 AC_CHECK_FUNCS([dlopen])

 AC_CHECK_DECL([RTLD_NOW], [], [], [#include <dlfcn.h>])

+# Check whether we have a p11-kit, we got default provider on command line

+DEFAULT_PKCS11_PROVIDER_MSG="no"

+AC_ARG_WITH([default-pkcs11-provider],

+	[  --with-default-pkcs11-provider[[=PATH]]   Use default pkcs11 provider (p11-kit detected by default)],

+	[ if test "x$withval" != "xno" && test "x$disable_pkcs11" = "x"; then

+		if test "x$withval" = "xyes" ; then

+			AC_PATH_TOOL([PKGCONFIG], [pkg-config], [no])

+			if test "x$PKGCONFIG" != "xno"; then

+				AC_MSG_CHECKING([if $PKGCONFIG knows about p11-kit])

+				if "$PKGCONFIG" "p11-kit-1"; then

+					AC_MSG_RESULT([yes])

+					use_pkgconfig_for_p11kit=yes

+				else

+					AC_MSG_RESULT([no])

+				fi

+			fi

+		else

+			PKCS11_PATH="${withval}"

+		fi

+		if test "x$use_pkgconfig_for_p11kit" = "xyes"; then

+			PKCS11_PATH=`$PKGCONFIG --variable=proxy_module p11-kit-1`

+		fi

+		AC_CHECK_FILE("$PKCS11_PATH",

+			[ AC_DEFINE_UNQUOTED([PKCS11_DEFAULT_PROVIDER], ["$PKCS11_PATH"], [Path to default PKCS#11 provider (p11-kit proxy)])

+			  DEFAULT_PKCS11_PROVIDER_MSG="$PKCS11_PATH"

+			],

+			[ AC_MSG_ERROR([Requested PKCS11 provided not found]) ]

+		)

+	else

+		AC_MSG_WARN([Needs PKCS11 support to enable default pkcs11 provider])

+	fi ]

+)

+

+

 # IRIX has a const char return value for gai_strerror()

 AC_CHECK_FUNCS([gai_strerror], [

 	AC_DEFINE([HAVE_GAI_STRERROR])

@@ -5564,6 +5600,7 @@ echo "                  BSD Auth support

 echo "              Random number source: $RAND_MSG"

 echo "             Privsep sandbox style: $SANDBOX_STYLE"

 echo "                   PKCS#11 support: $enable_pkcs11"

+echo "          Default PKCS#11 provider: $DEFAULT_PKCS11_PROVIDER_MSG"

 echo "                  U2F/FIDO support: $enable_sk"

 echo ""

diff -up openssh-8.6p1/Makefile.in.pkcs11-uri openssh-8.6p1/Makefile.in

--- openssh-8.6p1/Makefile.in.pkcs11-uri	2021-05-06 11:35:55.054652818 +0200

+++ openssh-8.6p1/Makefile.in	2021-05-06 11:58:16.895135904 +0200

@@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \

 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-ecdsa-sk.o \

 	ssh-ed25519-sk.o ssh-rsa.o dh.o \

 	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \

-	ssh-pkcs11.o smult_curve25519_ref.o \

+	ssh-pkcs11.o ssh-pkcs11-uri.o smult_curve25519_ref.o \

 	poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \

 	ssh-ed25519.o digest-openssl.o digest-libc.o \

 	hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \

@@ -300,6 +300,8 @@ clean:	regressclean

 	rm -f regress/unittests/sshsig/test_sshsig$(EXEEXT)

 	rm -f regress/unittests/utf8/*.o

 	rm -f regress/unittests/utf8/test_utf8$(EXEEXT)

+	rm -f regress/unittests/pkcs11/*.o

+	rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)

 	rm -f regress/misc/sk-dummy/*.o

 	rm -f regress/misc/sk-dummy/*.lo

 	rm -f regress/misc/sk-dummy/sk-dummy.so

@@ -337,6 +339,8 @@ distclean:	regressclean

 	rm -f regress/unittests/sshsig/test_sshsig

 	rm -f regress/unittests/utf8/*.o

 	rm -f regress/unittests/utf8/test_utf8

+	rm -f regress/unittests/pkcs11/*.o

+	rm -f regress/unittests/pkcs11/test_pkcs11

 	(cd openbsd-compat && $(MAKE) distclean)

 	if test -d pkg ; then \

 		rm -fr pkg ; \

@@ -511,6 +515,7 @@ regress-prep:

 	$(MKDIR_P) `pwd`/regress/unittests/sshkey

 	$(MKDIR_P) `pwd`/regress/unittests/sshsig

 	$(MKDIR_P) `pwd`/regress/unittests/utf8

+	$(MKDIR_P) `pwd`/regress/unittests/pkcs11

 	$(MKDIR_P) `pwd`/regress/misc/sk-dummy

 	[ -f `pwd`/regress/Makefile ] || \

 	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile

@@ -674,6 +679,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT

 	    regress/unittests/test_helper/libtest_helper.a \

 	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

+UNITTESTS_TEST_PKCS11_OBJS=\

+	regress/unittests/pkcs11/tests.o

+

+regress/unittests/pkcs11/test_pkcs11$(EXEEXT): \

+    ${UNITTESTS_TEST_PKCS11_OBJS} \

+    regress/unittests/test_helper/libtest_helper.a libssh.a

+	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_PKCS11_OBJS) \

+	    regress/unittests/test_helper/libtest_helper.a \

+	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)

+

 # These all need to be compiled -fPIC, so they are treated differently.

 SK_DUMMY_OBJS=\

 	regress/misc/sk-dummy/sk-dummy.lo \

@@ -711,7 +726,8 @@ regress-unit-binaries: regress-prep $(RE

 	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \

 	regress/unittests/sshkey/test_sshkey$(EXEEXT) \

 	regress/unittests/sshsig/test_sshsig$(EXEEXT) \

-	regress/unittests/utf8/test_utf8$(EXEEXT)

+	regress/unittests/utf8/test_utf8$(EXEEXT) \

+	regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \

 tests:	file-tests t-exec interop-tests unit

 	echo all tests passed

diff -up openssh-8.6p1/regress/agent-pkcs11.sh.pkcs11-uri openssh-8.6p1/regress/agent-pkcs11.sh

--- openssh-8.6p1/regress/agent-pkcs11.sh.pkcs11-uri	2021-04-16 05:55:25.000000000 +0200

+++ openssh-8.6p1/regress/agent-pkcs11.sh	2021-05-06 11:35:55.112653273 +0200

@@ -113,7 +113,7 @@ else

 	done

 	trace "remove pkcs11 keys"

-	echo ${TEST_SSH_PIN} | notty ${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1

+	${SSHADD} -e ${TEST_SSH_PKCS11} > /dev/null 2>&1

 	r=$?

 	if [ $r -ne 0 ]; then

 		fail "ssh-add -e failed: exit code $r"

diff -up openssh-8.6p1/regress/Makefile.pkcs11-uri openssh-8.6p1/regress/Makefile

--- openssh-8.6p1/regress/Makefile.pkcs11-uri	2021-04-16 05:55:25.000000000 +0200

+++ openssh-8.6p1/regress/Makefile	2021-05-06 11:59:24.465658383 +0200

@@ -119,7 +119,8 @@ CLEANFILES=	*.core actual agent-key.* au

 		known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \

 		modpipe netcat no_identity_config \

 		pidfile putty.rsa2 ready regress.log remote_pid \

-		revoked-* rsa rsa-agent rsa-agent.pub rsa.pub rsa_ssh2_cr.prv \

+		revoked-* rsa rsa-agent rsa-agent.pub rsa-agent-cert.pub \

+		rsa.pub rsa_ssh2_cr.prv pkcs11*.crt pkcs11*.key pkcs11.info \

 		rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \

 		scp-ssh-wrapper.scp setuid-allowed sftp-server.log \

 		sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \

@@ -249,6 +250,7 @@ unit:

 		V="" ; \

 		test "x${USE_VALGRIND}" = "x" || \

 		    V=${.CURDIR}/valgrind-unit.sh ; \

+		 $$V ${.OBJDIR}/unittests/pkcs11/test_pkcs11 ; \

 		 $$V ${.OBJDIR}/unittests/sshbuf/test_sshbuf ; \

 		 $$V ${.OBJDIR}/unittests/sshkey/test_sshkey \

 			-d ${.CURDIR}/unittests/sshkey/testdata ; \

diff -up openssh-8.6p1/regress/pkcs11.sh.pkcs11-uri openssh-8.6p1/regress/pkcs11.sh

--- openssh-8.6p1/regress/pkcs11.sh.pkcs11-uri	2021-05-06 11:35:55.112653273 +0200

+++ openssh-8.6p1/regress/pkcs11.sh	2021-05-06 11:35:55.112653273 +0200

@@ -0,0 +1,349 @@

+#

+#  Copyright (c) 2017 Red Hat

+#

+#  Authors: Jakub Jelen <jjelen@redhat.com>

+#

+#  Permission to use, copy, modify, and distribute this software for any

+#  purpose with or without fee is hereby granted, provided that the above

+#  copyright notice and this permission notice appear in all copies.

+#

+#  THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

+#  WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

+#  MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

+#  ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

+#  WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

+#  ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

+#  OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

+

+tid="pkcs11 tests with soft token"

+

+try_token_libs() {

+	for _lib in "$@" ; do

+		if test -f "$_lib" ; then

+			verbose "Using token library $_lib"

+			TEST_SSH_PKCS11="$_lib"

+			return

+		fi

+	done

+	echo "skipped: Unable to find PKCS#11 token library"

+	exit 0

+}

+

+try_token_libs \

+	/usr/local/lib/softhsm/libsofthsm2.so \

+	/usr/lib64/pkcs11/libsofthsm2.so \

+	/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so

+

+TEST_SSH_PIN=1234

+TEST_SSH_SOPIN=12345678

+if [ "x$TEST_SSH_SSHPKCS11HELPER" != "x" ]; then

+	SSH_PKCS11_HELPER="${TEST_SSH_SSHPKCS11HELPER}"

+	export SSH_PKCS11_HELPER

+fi

+

+test -f "$TEST_SSH_PKCS11" || fatal "$TEST_SSH_PKCS11 does not exist"

+

+# setup environment for softhsm token

+DIR=$OBJ/SOFTHSM

+rm -rf $DIR

+TOKEN=$DIR/tokendir

+mkdir -p $TOKEN

+SOFTHSM2_CONF=$DIR/softhsm2.conf

+export SOFTHSM2_CONF

+cat > $SOFTHSM2_CONF << EOF

+# SoftHSM v2 configuration file

+directories.tokendir = ${TOKEN}

+objectstore.backend = file

+# ERROR, WARNING, INFO, DEBUG

+log.level = DEBUG

+# If CKF_REMOVABLE_DEVICE flag should be set

+slots.removable = false

+EOF

+out=$(softhsm2-util --init-token --free --label token-slot-0 --pin "$TEST_SSH_PIN" --so-pin "$TEST_SSH_SOPIN")

+slot=$(echo -- $out | sed 's/.* //')

+

+# prevent ssh-agent from calling ssh-askpass

+SSH_ASKPASS=/usr/bin/true

+export SSH_ASKPASS

+unset DISPLAY

+# We need interactive access to test PKCS# since it prompts for PIN

+sed -i 's/.*BatchMode.*//g' $OBJ/ssh_proxy

+

+# start command w/o tty, so ssh accepts pin from stdin (from agent-pkcs11.sh)

+notty() {

+	perl -e 'use POSIX; POSIX::setsid();

+	    if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"

+}

+

+trace "generating keys"

+ID1="02"

+ID2="04"

+RSA=${DIR}/RSA

+EC=${DIR}/EC

+openssl genpkey -algorithm rsa > $RSA

+openssl pkcs8 -nocrypt -in $RSA |\

+    softhsm2-util --slot "$slot" --label "SSH RSA Key $ID1" --id $ID1 \

+	--pin "$TEST_SSH_PIN" --import /dev/stdin

+openssl genpkey \

+    -genparam \

+    -algorithm ec \

+    -pkeyopt ec_paramgen_curve:prime256v1 |\

+    openssl genpkey \

+    -paramfile /dev/stdin > $EC

+openssl pkcs8 -nocrypt -in $EC |\

+    softhsm2-util --slot "$slot" --label "SSH ECDSA Key $ID2" --id $ID2 \

+	--pin "$TEST_SSH_PIN" --import /dev/stdin

+

+trace "List the keys in the ssh-keygen with PKCS#11 URIs"

+${SSHKEYGEN} -D ${TEST_SSH_PKCS11} > $OBJ/token_keys

+if [ $? -ne 0 ]; then

+	fail "FAIL: keygen fails to enumerate keys on PKCS#11 token"

+fi

+grep "pkcs11:" $OBJ/token_keys > /dev/null

+if [ $? -ne 0 ]; then

+	fail "FAIL: The keys from ssh-keygen do not contain PKCS#11 URI as a comment"

+fi

+

+# Set the ECDSA key to authorized keys

+grep "ECDSA" $OBJ/token_keys > $OBJ/authorized_keys_$USER

+

+trace "Simple connect with ssh (without PKCS#11 URI)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -I ${TEST_SSH_PKCS11} \

+    -F $OBJ/ssh_proxy somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "FAIL: ssh connect with pkcs11 failed (exit code $r)"

+fi

+

+trace "Connect with PKCS#11 URI"

+trace "  (ECDSA key should succeed)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+    -i "pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI failed (exit code $r)"

+fi

+

+trace "  (RSA key should fail)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+     -i "pkcs11:id=%${ID1}?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -eq 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI succeeded (should fail)"

+fi

+

+trace "Connect with PKCS#11 URI including PIN should not prompt"

+trace "  (ECDSA key should succeed)"

+${SSH} -F $OBJ/ssh_proxy -i \

+    "pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}&pin-value=${TEST_SSH_PIN}" somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI failed (exit code $r)"

+fi

+

+trace "  (RSA key should fail)"

+${SSH} -F $OBJ/ssh_proxy -i \

+    "pkcs11:id=%${ID1}?module-path=${TEST_SSH_PKCS11}&pin-value=${TEST_SSH_PIN}" somehost exit 5

+r=$?

+if [ $r -eq 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI succeeded (should fail)"

+fi

+

+trace "Connect with various filtering options in PKCS#11 URI"

+trace "  (by object label, ECDSA should succeed)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+    -i "pkcs11:object=SSH%20ECDSA%20Key%2004?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI failed (exit code $r)"

+fi

+

+trace "  (by object label, RSA key should fail)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+     -i "pkcs11:object=SSH%20RSA%20Key%2002?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -eq 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI succeeded (should fail)"

+fi

+

+trace "  (by token label, ECDSA key should succeed)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+    -i "pkcs11:id=%${ID2};token=token-slot-0?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI failed (exit code $r)"

+fi

+

+trace "  (by wrong token label, should fail)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+     -i "pkcs11:token=token-slot-99?module-path=${TEST_SSH_PKCS11}" somehost exit 5

+r=$?

+if [ $r -eq 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI succeeded (should fail)"

+fi

+

+

+

+

+trace "Test PKCS#11 URI specification in configuration files"

+echo "IdentityFile \"pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}\"" \

+    >> $OBJ/ssh_proxy

+trace "  (ECDSA key should succeed)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI in config failed (exit code $r)"

+fi

+

+# Set the RSA key as authorized

+grep "RSA" $OBJ/token_keys > $OBJ/authorized_keys_$USER

+

+trace "  (RSA key should fail)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5

+r=$?

+if [ $r -eq 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI in config succeeded (should fail)"

+fi

+sed -i -e "/IdentityFile/d" $OBJ/ssh_proxy

+

+trace "Test PKCS#11 URI specification in configuration files with bogus spaces"

+echo "IdentityFile \"    pkcs11:?module-path=${TEST_SSH_PKCS11}    \"" \

+    >> $OBJ/ssh_proxy

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI with bogus spaces in config failed" \

+	    "(exit code $r)"

+fi

+sed -i -e "/IdentityFile/d" $OBJ/ssh_proxy

+

+

+trace "Combination of PKCS11Provider and PKCS11URI on commandline"

+trace "  (RSA key should succeed)"

+echo ${TEST_SSH_PIN} | notty ${SSH} -F $OBJ/ssh_proxy \

+    -i "pkcs11:id=%${ID1}" -I ${TEST_SSH_PKCS11} somehost exit 5

+r=$?

+if [ $r -ne 5 ]; then

+	fail "FAIL: ssh connect with PKCS#11 URI and provider combination" \

+	    "failed (exit code $r)"

+fi

+

+trace "Regress: Missing provider in PKCS11URI option"

+${SSH} -F $OBJ/ssh_proxy \

+    -o IdentityFile=\"pkcs11:token=segfault\" somehost exit 5

+r=$?

+if [ $r -eq 139 ]; then

+	fail "FAIL: ssh connect with missing provider_id from configuration option" \

+	    "crashed (exit code $r)"

+fi

+

+

+trace "SSH Agent can work with PKCS#11 URI"

+trace "start the agent"

+eval `${SSHAGENT} -s` >  /dev/null

+

+r=$?

+if [ $r -ne 0 ]; then

+	fail "could not start ssh-agent: exit code $r"

+else

+	trace "add whole provider to agent"

+	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

+	    "pkcs11:?module-path=${TEST_SSH_PKCS11}" #> /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "FAIL: ssh-add failed with whole provider: exit code $r"

+	fi

+

+	trace " pkcs11 list via agent (all keys)"

+	${SSHADD} -l > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "FAIL: ssh-add -l failed with whole provider: exit code $r"

+	fi

+

+	trace " pkcs11 connect via agent (all keys)"

+	${SSH} -F $OBJ/ssh_proxy somehost exit 5

+	r=$?

+	if [ $r -ne 5 ]; then

+		fail "FAIL: ssh connect failed with whole provider (exit code $r)"

+	fi

+

+	trace " remove pkcs11 keys (all keys)"

+	${SSHADD} -d "pkcs11:?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "FAIL: ssh-add -d failed with whole provider: exit code $r"

+	fi

+

+	trace "add only RSA key to the agent"

+	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

+	    "pkcs11:id=%${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "FAIL ssh-add failed with RSA key: exit code $r"

+	fi

+

+	trace " pkcs11 connect via agent (RSA key)"

+	${SSH} -F $OBJ/ssh_proxy somehost exit 5

+	r=$?

+	if [ $r -ne 5 ]; then

+		fail "FAIL: ssh connect failed with RSA key (exit code $r)"

+	fi

+

+	trace " remove RSA pkcs11 key"

+	${SSHADD} -d "pkcs11:id=%${ID1}?module-path=${TEST_SSH_PKCS11}" \

+	    > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "FAIL: ssh-add -d failed with RSA key: exit code $r"

+	fi

+

+	trace "add only ECDSA key to the agent"

+	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

+	    "pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "FAIL: ssh-add failed with second key: exit code $r"

+	fi

+

+	trace " pkcs11 connect via agent (ECDSA key should fail)"

+	${SSH} -F $OBJ/ssh_proxy somehost exit 5

+	r=$?

+	if [ $r -eq 5 ]; then

+		fail "FAIL: ssh connect passed with ECDSA key (should fail)"

+	fi

+

+	trace "add also the RSA key to the agent"

+	echo ${TEST_SSH_PIN} | notty ${SSHADD} \

+	    "pkcs11:id=%${ID1}?module-path=${TEST_SSH_PKCS11}" > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "FAIL: ssh-add failed with first key: exit code $r"

+	fi

+

+	trace " remove ECDSA pkcs11 key"

+	${SSHADD} -d "pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}" \

+	    > /dev/null 2>&1

+	r=$?

+	if [ $r -ne 0 ]; then

+		fail "ssh-add -d failed with ECDSA key: exit code $r"

+	fi

+

+	trace " remove already-removed pkcs11 key should fail"

+	${SSHADD} -d "pkcs11:id=%${ID2}?module-path=${TEST_SSH_PKCS11}" \

+	    > /dev/null 2>&1

+	r=$?

+	if [ $r -eq 0 ]; then

+		fail "FAIL: ssh-add -d passed with non-existing key (should fail)"

+	fi

+

+	trace " pkcs11 connect via agent (the RSA key should be still usable)"

+	${SSH} -F $OBJ/ssh_proxy somehost exit 5

+	r=$?

+	if [ $r -ne 5 ]; then

+		fail "ssh connect failed with RSA key (after removing ECDSA): exit code $r"

+	fi

+

+	trace "kill agent"

+	${SSHAGENT} -k > /dev/null

+fi

diff -up openssh-8.6p1/regress/unittests/Makefile.pkcs11-uri openssh-8.6p1/regress/unittests/Makefile

--- openssh-8.6p1/regress/unittests/Makefile.pkcs11-uri	2021-04-16 05:55:25.000000000 +0200

+++ openssh-8.6p1/regress/unittests/Makefile	2021-05-06 11:35:55.112653273 +0200

@@ -2,6 +2,6 @@

 REGRESS_FAIL_EARLY?=	yes

 SUBDIR=	test_helper sshbuf sshkey bitmap kex hostkeys utf8 match conversion

-SUBDIR+=authopt misc sshsig

+SUBDIR+=authopt misc sshsig pkcs11

 .include <bsd.subdir.mk>

diff -up openssh-8.6p1/regress/unittests/pkcs11/tests.c.pkcs11-uri openssh-8.6p1/regress/unittests/pkcs11/tests.c

--- openssh-8.6p1/regress/unittests/pkcs11/tests.c.pkcs11-uri	2021-05-06 11:35:55.112653273 +0200

+++ openssh-8.6p1/regress/unittests/pkcs11/tests.c	2021-05-06 11:35:55.112653273 +0200

@@ -0,0 +1,337 @@

+/*

+ * Copyright (c) 2017 Red Hat

+ *

+ * Authors: Jakub Jelen <jjelen@redhat.com>

+ *

+ * Permission to use, copy, modify, and distribute this software for any

+ * purpose with or without fee is hereby granted, provided that the above

+ * copyright notice and this permission notice appear in all copies.

+ *

+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

+ */

+

+#include "includes.h"

+

+#include <locale.h>

+#include <string.h>

+

+#include "../test_helper/test_helper.h"

+

+#include "sshbuf.h"

+#include "ssh-pkcs11-uri.h"

+

+#define EMPTY_URI compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL)

+

+/* prototypes are not public -- specify them here internally for tests */

+struct sshbuf *percent_encode(const char *, size_t, char *);

+int percent_decode(char *, char **);

+

+void

+compare_uri(struct pkcs11_uri *a, struct pkcs11_uri *b)

+{

+	ASSERT_PTR_NE(a, NULL);

+	ASSERT_PTR_NE(b, NULL);

+	ASSERT_SIZE_T_EQ(a->id_len, b->id_len);

+	ASSERT_MEM_EQ(a->id, b->id, a->id_len);

+	if (b->object != NULL)

+		ASSERT_STRING_EQ(a->object, b->object);

+	else /* both should be null */

+		ASSERT_PTR_EQ(a->object, b->object);

+	if (b->module_path != NULL)

+		ASSERT_STRING_EQ(a->module_path, b->module_path);

+	else /* both should be null */

+		ASSERT_PTR_EQ(a->module_path, b->module_path);

+	if (b->token != NULL)

+		ASSERT_STRING_EQ(a->token, b->token);

+	else /* both should be null */

+		ASSERT_PTR_EQ(a->token, b->token);

+	if (b->manuf != NULL)

+		ASSERT_STRING_EQ(a->manuf, b->manuf);

+	else /* both should be null */

+		ASSERT_PTR_EQ(a->manuf, b->manuf);

+	if (b->lib_manuf != NULL)

+		ASSERT_STRING_EQ(a->lib_manuf, b->lib_manuf);

+	else /* both should be null */

+		ASSERT_PTR_EQ(a->lib_manuf, b->lib_manuf);

+}

+

+void

+check_parse_rv(char *uri, struct pkcs11_uri *expect, int expect_rv)

+{

+	char *buf = NULL, *str;

+	struct pkcs11_uri *pkcs11uri = NULL;

+	int rv;

+

+	if (expect_rv == 0)

+		str = "Valid";

+	else

+		str = "Invalid";

+	asprintf(&buf, "%s PKCS#11 URI parsing: %s", str, uri);

+	TEST_START(buf);

+	free(buf);

+	pkcs11uri = pkcs11_uri_init();

+	rv = pkcs11_uri_parse(uri, pkcs11uri);

+	ASSERT_INT_EQ(rv, expect_rv);

+	if (rv == 0) /* in case of failure result is undefined */

+		compare_uri(pkcs11uri, expect);

+	pkcs11_uri_cleanup(pkcs11uri);

+	free(expect);

+	TEST_DONE();

+}

+

+void

+check_parse(char *uri, struct pkcs11_uri *expect)

+{

+	check_parse_rv(uri, expect, 0);

+}

+

+struct pkcs11_uri *

+compose_uri(unsigned char *id, size_t id_len, char *token, char *lib_manuf,

+    char *manuf, char *module_path, char *object, char *pin)

+{

+	struct pkcs11_uri *uri = pkcs11_uri_init();

+	if (id_len > 0) {

+		uri->id_len = id_len;

+		uri->id = id;

+	}

+	uri->module_path = module_path;

+	uri->token = token;

+	uri->lib_manuf = lib_manuf;

+	uri->manuf = manuf;

+	uri->object = object;

+	uri->pin = pin;

+	return uri;

+}

+

+static void

+test_parse_valid(void)

+{

+	/* path arguments */

+	check_parse("pkcs11:id=%01",

+	    compose_uri("\x01", 1, NULL, NULL, NULL, NULL, NULL, NULL));

+	check_parse("pkcs11:id=%00%01",

+	    compose_uri("\x00\x01", 2, NULL, NULL, NULL, NULL, NULL, NULL));

+	check_parse("pkcs11:token=SSH%20Keys",

+	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));

+	check_parse("pkcs11:library-manufacturer=OpenSC",

+	    compose_uri(NULL, 0, NULL, "OpenSC", NULL, NULL, NULL, NULL));

+	check_parse("pkcs11:manufacturer=piv_II",

+	    compose_uri(NULL, 0, NULL, NULL, "piv_II", NULL, NULL, NULL));

+	check_parse("pkcs11:object=SIGN%20Key",

+	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, "SIGN Key", NULL));

+	/* query arguments */

+	check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so",

+	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, NULL));

+	check_parse("pkcs11:?pin-value=123456",

+	    compose_uri(NULL, 0, NULL, NULL, NULL, NULL, NULL, "123456"));

+

+	/* combinations */

+	/* ID SHOULD be percent encoded */

+	check_parse("pkcs11:token=SSH%20Key;id=0",

+	    compose_uri("0", 1, "SSH Key", NULL, NULL, NULL, NULL, NULL));

+	check_parse(

+	    "pkcs11:manufacturer=CAC?module-path=/usr/lib64/p11-kit-proxy.so",

+	    compose_uri(NULL, 0, NULL, NULL, "CAC",

+	    "/usr/lib64/p11-kit-proxy.so", NULL, NULL));

+	check_parse(

+	    "pkcs11:object=RSA%20Key?module-path=/usr/lib64/pkcs11/opencryptoki.so",

+	    compose_uri(NULL, 0, NULL, NULL, NULL,

+	    "/usr/lib64/pkcs11/opencryptoki.so", "RSA Key", NULL));

+	check_parse("pkcs11:?module-path=/usr/lib64/p11-kit-proxy.so&pin-value=123456",

+	    compose_uri(NULL, 0, NULL, NULL, NULL, "/usr/lib64/p11-kit-proxy.so", NULL, "123456"));

+

+	/* empty path component matches everything */

+	check_parse("pkcs11:", EMPTY_URI);

+

+	/* empty string is a valid to match against (and different from NULL) */

+	check_parse("pkcs11:token=",

+	    compose_uri(NULL, 0, "", NULL, NULL, NULL, NULL, NULL));

+	/* Percent character needs to be percent-encoded */

+	check_parse("pkcs11:token=%25",

+	     compose_uri(NULL, 0, "%", NULL, NULL, NULL, NULL, NULL));

+}

+

+static void

+test_parse_invalid(void)

+{

+	/* Invalid percent encoding */

+	check_parse_rv("pkcs11:id=%0", EMPTY_URI, -1);

+	/* Invalid percent encoding */

+	check_parse_rv("pkcs11:id=%ZZ", EMPTY_URI, -1);

+	/* Space MUST be percent encoded -- XXX not enforced yet */

+	check_parse("pkcs11:token=SSH Keys",

+	    compose_uri(NULL, 0, "SSH Keys", NULL, NULL, NULL, NULL, NULL));

+	/* MUST NOT contain duplicate attributes of the same name */

+	check_parse_rv("pkcs11:id=%01;id=%02", EMPTY_URI, -1);

+	/* MUST NOT contain duplicate attributes of the same name */

+	check_parse_rv("pkcs11:?pin-value=111111&pin-value=123456", EMPTY_URI, -1);

+	/* Unrecognized attribute in path are ignored with log message */

+	check_parse("pkcs11:key_name=SSH", EMPTY_URI);

+	/* Unrecognized attribute in query SHOULD be ignored */

+	check_parse("pkcs11:?key_name=SSH", EMPTY_URI);

+}

+

+void

+check_gen(char *expect, struct pkcs11_uri *uri)

+{

+	char *buf = NULL, *uri_str;

+

+	asprintf(&buf, "Valid PKCS#11 URI generation: %s", expect);

+	TEST_START(buf);